3 million Let’s Encrypt TLS Certificates revoked due to CAA bug

An estimated 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt are set to be revoked due to a Certificate Authority Authorization (CAA) bug. This represents 2.6% of the more than 116 million active certificates issued by Let’s Encrypt.

Let’s Encrypt has contacted all certificate holders affected by the bug, and has also published a lookup tool and a list of affected serial numbers so you can determine whether your TLS certificate is affected. Use this link to check whether the Let’s Encrypt certificate for your site’s host name is affected. Here is the list of all affected serial numbers.

Let’s Encrypt has not set an exact time for the revocation of the certificates, but says the earliest it will begin is 00:00 UTC.


Some certificate holders may also have received a false-positive email telling them they are affected, either because their certificate was issued in the days after the bug was fixed or because it did not meet the timing criteria needed for the bug to trigger, which has added to the confusion.

What really happened technically?

According to Let’s Encrypt, Boulder, the CA software used by Let’s Encrypt, checks the CAA records for a domain name at the same time that it verifies that the certificate requester controls that domain. Most subscribers issue a certificate immediately after validating domain control; however, Let’s Encrypt trusts that validation for 30 days.

Because of that 30-day trust window, Boulder sometimes has to recheck the CAA records a second time, just prior to issuing the certificate. The recheck threshold is 8 hours: any domain name validated more than 8 hours earlier requires a recheck.

See the explanation below

The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
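As an added illustration (not Boulder’s code), here is a Python sketch of the recheck logic the post describes: a buggy variant that picks one name and checks it N times, beside the corrected per-name check. The domain names, timestamps and CAA records are constructed, and the CAA lookup is deliberately simplified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TRUST_WINDOW = timedelta(days=30)   # post: a validation is trusted for 30 days
RECHECK_AFTER = timedelta(hours=8)  # post: older than 8 hours => CAA must be rechecked

@dataclass
class Authz:
    """A completed domain-control validation (constructed stand-in)."""
    name: str
    validated_at: datetime

def caa_allows(name, caa):
    """Constructed, simplified CAA check: no 'issue' tags means any CA may
    issue; otherwise letsencrypt.org must be listed. (Real CAA lookups also
    climb to parent names; omitted here.)"""
    tags = caa.get(name)
    return not tags or "letsencrypt.org" in tags

def recheck_buggy(names, caa):
    """The behaviour the post describes: for N names needing a recheck,
    one name is selected and checked N times, so the other N-1 are skipped."""
    blocked = []
    for _ in names:
        picked = names[0]            # always the same name
        if not caa_allows(picked, caa):
            blocked.append(picked)
    return blocked

def recheck_fixed(names, caa):
    """Corrected behaviour: every name needing a recheck is checked once."""
    return [n for n in names if not caa_allows(n, caa)]

def names_needing_recheck(authzs, now):
    """Validations still inside the 30-day trust window but older than 8 hours."""
    return [a.name for a in authzs
            if RECHECK_AFTER < now - a.validated_at <= TRUST_WINDOW]

def demo():
    now = datetime(2020, 2, 28, 12, 0, tzinfo=timezone.utc)          # constructed
    authzs = [Authz("www.example", now - timedelta(days=20)),          # constructed
              Authz("blog.example", now - timedelta(days=20))]
    # After validation, the owner of blog.example published a CAA record naming
    # a different CA, so Let's Encrypt should now refuse to issue for that name.
    caa = {"blog.example": ["some-other-ca.example"]}                  # constructed
    names = names_needing_recheck(authzs, now)
    return recheck_buggy(names, caa), recheck_fixed(names, caa)

if __name__ == "__main__":
    buggy, fixed = demo()
    print("buggy recheck blocked:", buggy)   # [] -> certificate issued despite the CAA record
    print("fixed recheck blocked:", fixed)   # ['blog.example']
```

The buggy path never looks at blog.example, so the certificate is issued even though its CAA record now prohibits Let’s Encrypt.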

Let’s Encrypt confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance two minutes later. They deployed a fix at 05:22 UTC and re-enabled certificate issuance at that time.


Security researcher Scott Helme, who tweeted out his investigation, had this to say:

Will anything happen if I don’t fix this?

To explain a bit more: a valid TLS certificate is what lets your site visitors receive encrypted traffic between their browsers and your website. Because of the bug and the resulting revocation, visitors might see a certificate-revoked error, a “not secure” warning, or other browser security warnings that erode trust in your site.
